Cookie law: websites must seek consent from this weekend

Friday marks the last working day for UK businesses to prepare their websites for a new law governing the use of cookies.

From Sunday, sites must obtain "informed consent" from visitors before saving cookies on a machine.

Cookies are pieces of personal data stored when users browse the web, sometimes to power advertising.

The Information Commissioners Office (ICO) is to launch a tool for the public to report non-compliant sites.

It is expected that the vast majority of websites will not be ready in time.

However, the ICO has said it would not take immediate action over non-compliant sites, and would instead offer guidance.

Tracking data

The rules are designed to tackle privacy issues resulting from the growing use of cookies which track users' browsing habits.

The guidelines, set by the EU, mean visitors must be told what cookies are being placed on their machine.

Typically, this will mean a pop-up window seeking consent.

The BBC, which brought its site in line with the guidelines
on Thursday, allows users to opt out of cookies the first time they
visit the website.

An Ipsos MORI poll, commissioned by privacy solutions
provider Truste, suggested that while 84% of online consumers aged 16-64
were aware of internet cookies, just 24% knew about the new guidelines.

The owners of non-compliant websites face fines of up to
£500,000, but the ICO has played down the threat of such serious action,
telling the BBC it would take a soft approach to enforcement.

"Up until now, if we received a complaint about your website
we would point you in the direction of our guidance," said Dave Evans,
group manager for the ICO.

"Given that everyone has had a year [to comply], we're going
to shift from that kind of approach to one which will be very much more
focused on those people who don't appear to have done anything and
asking them 'why not?''"

Last week the government admitted that most of its sites
would not comply with the new rules in time. It said it was "working to
achieve compliance at the earliest possible date".

The ICO insisted this weekend was not a deadline, but an attempt to help companies focus on their general cookie use.

"We never said was that if you're not compliant by 27 May we will come and get you," Mr Evans told the BBC.

"What we want is good compliance, not rushed compliance. If it's focused people's minds, that's a good thing."

Changed stance

The ICO has come under criticism from businesses for not being entirely clear about what constitutes compliance.

Vinod Bange, a data privacy specialist from law firm Taylor
Wessing, said many businesses were nervous about implementing solutions.

"A lack of education and clear guidelines from the ICO on
what constitutes compliance has left many businesses unsure of how to
meet the directive with only one working day to go," he said.

"Few businesses want to be the first to adopt a specific
approach. This is a risky game, as some organisations may be made an
example of in order to set the parameters of compliancy moving forward."

This concern was shared by Tim Gurney, managing director of Wolf Software, a firm which helps websites become compliant.

He said the lack of clear guidance had led to some firms adopting systems which damaged the way visitors interacted with sites.

"Some of the implementations are very poor. For me, they're making a mistake because users will stop using their sites.

"Those kind of solutions I can see being changed as the user starts to say 'I don't like that'."

Industry help

Mr Evans defended the ICO's approach, saying the ambiguity was
to enable websites to interpret the rules to best suit their own
audience and website design.

He also told the BBC that he believed that in the long term
issues over cookie use should be regulated by the industry rather than
government.

"What we want to do is look at where our resources can best be put," he said.

"If we were putting all our resources into investigating
cookies, well, the people would quite rightly be asking where our
priorities lie.

"Regulators have got resources that are not infinite. The
best solutions are where industry sits down and develops it themselves.
The more they can do, the easier it is for us to regulate."